
The Basics of a Trojan Virus

This tutorial will discuss the basics of a trojan virus.

In the context of computer software, a Trojan horse is a program that contains or installs a malicious program (sometimes called the payload or ‘trojan’). The term is derived from the classical myth of the Trojan Horse. Trojan horses may appear to be useful or interesting programs (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed.

Often the term is shortened to simply trojan, even though this turns the adjective into a noun, reversing the myth (Greeks, not Trojans, were gaining malicious access).

There are two common types of Trojan horses. One is otherwise useful software that has been corrupted by a cracker inserting malicious code that executes while the program is used. Examples include various implementations of weather alerting programs, computer clock setting software, and peer-to-peer file sharing utilities. The other type is a standalone program that masquerades as something else, like a game or image file, in order to trick the user into some misdirected complicity that is needed to carry out the program’s objectives.

Trojan horse programs cannot operate autonomously, in contrast to some other types of malware, like viruses or worms. Just as the Greeks needed the Trojans to bring the horse inside for their plan to work, Trojan horse programs depend on actions by the intended victims. As such, if trojans replicate and even distribute themselves, each new victim must run the program/trojan. Therefore their virulence is of a different nature, depending on successful implementation of social engineering concepts rather than flaws in a computer system’s security design or configuration.

Definitions

“Trojan”

– A Trojan (or a Trojan horse) is a destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves but they can be just as destructive.

“hacker”

– “Hacker” is a slang term for a computer enthusiast. Among professional programmers, the term hacker implies an amateur or a programmer who lacks formal training. Depending on how it is used, the term can be either complimentary or derogatory, although it is developing an increasingly derogatory connotation.

“client/server” approach

– A client is defined as a requester of services and a server is defined as the provider of services.

“IP Address” (Internet Protocol Address)

– The address of a computer attached to a TCP/IP network (e.g. the Internet). Every client and server must have a unique IP address. Client workstations have either a permanent address or one that is dynamically assigned to them each dial-up session. IP addresses are written as four sets of numbers separated by periods; for example, 192.168.111.222

“port”

– In a TCP/IP network (e.g. the Internet), a port represents an endpoint in the establishment of a connection between computers. For the computer that acts as the server, the port number will typically identify the type of service it is. For example, TCP port 80 is used for HTTP, TCP port 21 is used for FTP, and TCP port 25 is used for SMTP. It should be noted that there are 65,535 (64K) port numbers!

Which PC’s can be affected?

Depending on the trojan involved, they’re designed to affect Windows 95/98 PC’s, Windows NT PC’s, or both.

How do the trojans work?

A hacker establishes the connection to another user’s computer by running the “client” portion, which connects to the IP address of a known PC that has the “server” portion installed on it.

If the hacker running the “client” portion doesn’t know the IP address of the user’s PC that has been compromised by the “server” portion, the hacker usually initiates a series of connections to a large range of IP addresses on the Internet (known as “scanning”), looking for any PC that responds back to the attempt. If a PC responds back, it responds with its IP address. Then all the hacker has to do is establish a connection to that IP address.

Keep in mind that 99% of the time, the hacker doesn’t have a specific target (or victim) to begin with, so any PC that answers back to their attempted connections satisfies their goal of hacking into another’s PC.

Because the “server” portion is configured to use (or “listen” on) a particular port number, it’s the client who attempts a connection to that specific port number to initiate the connection between computers.

NOTE: Some trojans may use more than one port number. This is because one port is used for “listening” and the other/s are used for the transfer of data.

In their default configurations, the following trojans use:

Back Orifice – UDP port 31337 or 31338
Deep Throat – UDP port 2140 and 3150
NetBus – TCP port 12345 and 12346
Whack-a-mole – TCP port 12361 and 12362
NetBus 2 Pro – TCP port 20034
GirlFriend – TCP port 21544
Sockets de Troie – TCP port 5000, 5001 or 50505
Masters Paradise – TCP port 3129, 40421, 40422, 40423 and 40426
Devil – port 65000
Evil FTP – port 23456
GateCrasher – port 6969
Hackers Paradise – port 456
ICKiller – port 7789
ICQTrojan – port 4590
Phineas Phucker – port 2801
Remote Grab – port 7000
Remote Windows Shutdown – port 53001
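
The list above can be turned into a quick check of your own PC. The following is an added example, not part of the original tutorial: it reads Windows-style `netstat -an` output and reports local listeners on any of the default ports listed above. The names `LISTED`, `PORTS`, `ROW`, `suspicious_listeners` and `SAMPLE` are made up for this example, and the sample output is constructed.

```python
import re

# (protocol, ports, name) copied from the list above; "any" = no protocol given there.
LISTED = [
    ("udp", (31337, 31338), "Back Orifice"), ("udp", (2140, 3150), "Deep Throat"),
    ("tcp", (12345, 12346), "NetBus"), ("tcp", (12361, 12362), "Whack-a-mole"),
    ("tcp", (20034,), "NetBus 2 Pro"), ("tcp", (21544,), "GirlFriend"),
    ("tcp", (5000, 5001, 50505), "Sockets de Troie"),
    ("tcp", (3129, 40421, 40422, 40423, 40426), "Masters Paradise"),
    ("any", (65000,), "Devil"), ("any", (23456,), "Evil FTP"),
    ("any", (6969,), "GateCrasher"), ("any", (456,), "Hackers Paradise"),
    ("any", (7789,), "ICKiller"), ("any", (4590,), "ICQTrojan"),
    ("any", (2801,), "Phineas Phucker"), ("any", (7000,), "Remote Grab"),
    ("any", (53001,), "Remote Windows Shutdown"),
]
PORTS = {(proto, port): name for proto, ports, name in LISTED for port in ports}

# One Windows `netstat -an` row: protocol, local addr:port, foreign address, optional state.
ROW = re.compile(r"^\s*(TCP|UDP)\s+\S*:(\d+)\s+\S+(?:\s+(\S+))?\s*$", re.I)

def suspicious_listeners(netstat_text):
    """Return sorted (proto, port, name) for local listeners on a listed port."""
    hits = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank line, or a layout this parser does not handle
        proto, port, state = m.group(1).lower(), int(m.group(2)), (m.group(3) or "").upper()
        # TCP: keep only sockets waiting for inbound connections; UDP rows have no state.
        if proto == "tcp" and state != "LISTENING":
            continue
        name = PORTS.get((proto, port)) or PORTS.get(("any", port))
        if name:
            hits.add((proto, port, name))
    return sorted(hits)

# Constructed sample output, not captured from a real host.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.111.222:1042   10.0.0.5:12345         ESTABLISHED
  TCP    [::]:6969              [::]:0                 LISTENING
  UDP    0.0.0.0:31337          *:*
  UDP    0.0.0.0:12345          *:*
"""

if __name__ == "__main__":
    for proto, port, name in suspicious_listeners(SAMPLE):
        print(f"{proto.upper()} port {port}: default port of {name}")
```

A match is only a lead to investigate: the ports above are default configurations, so a reconfigured trojan will not show up here, and ordinary software can listen on the same numbers.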

Types of Trojan horse payloads

Trojan horse payloads are almost always designed to do various harmful things, but could be harmless. They are broken down in classification based on how they breach systems and the damage they cause. The seven main types of Trojan horse payloads are:

  • Remote Access
  • Email Sending
  • Data Destructive
  • Proxy trojan (disguising others as the infected computer)
  • FTP trojan (adding or copying data from the infected computer)
  • security software disabler
  • denial-of-service attack (DoS)
  • URL trojan (directing the infected computer to only connect to the internet via an expensive dial-up connection)

Some examples are:

  • erasing or overwriting data on a computer.
  • encrypting files in a cryptoviral extortion attack.
  • corrupting files in a subtle way.
  • uploading and downloading files.
  • allowing remote access to the victim’s computer. This is called a RAT (remote administration tool).
  • spreading other malware, such as viruses. In this case the Trojan horse is called a ‘dropper’ or ‘vector’.
  • setting up networks of zombie computers in order to launch DDoS attacks or send spam.
  • spying on the user of a computer and covertly reporting data like browsing habits to other people (see the article on spyware).
  • making screenshots.
  • logging keystrokes to steal information such as passwords and credit card numbers (also known as a keylogger).
  • phishing for bank or other account details, which can be used for criminal activities.
  • installing a backdoor on a computer system.
  • opening and closing the CD-ROM tray.
  • harvesting e-mail addresses and using them for spam.
  • restarting the computer whenever the infected program is started.

Methods of Infection

The majority of trojan horse infections occur because the user was tricked into running an infected program. This is why it is advised to not open unexpected attachments on emails — the program is often a cute animation or a sexy picture, but behind the scenes it infects the computer with a trojan or worm. The infected program doesn’t have to arrive via email, though; it can be sent to you in an Instant Message, downloaded from a Web site or by FTP, or even delivered on a CD or floppy disk. (Physical delivery is uncommon, but if you were the specific target of an attack, it would be a fairly reliable way to infect your computer.) Furthermore, an infected program could come from someone who sits down at your computer and loads it manually. The chances of receiving the virus through an instant message are very low. It is usually received through a download.

Drive By Websites: You can be infected by visiting a rogue website.

Email: If you use Microsoft Outlook, you’re vulnerable to many of the same problems that Internet Explorer has, even if you don’t use IE directly.

Open ports: Computers running their own servers (HTTP, FTP, or SMTP, for example), allowing Windows file sharing, or running programs that provide filesharing capabilities such as Instant Messengers (AOL’s AIM, MSN Messenger, etc.) may have vulnerabilities similar to those described above. These programs and services may open a network port giving attackers a means for interacting with these programs from anywhere on the Internet. Vulnerabilities allowing unauthorized remote entry are regularly found in such programs, so they should be avoided or properly secured.

A firewall may be used to limit access to open ports. Firewalls are widely used in practice, and they help to mitigate the problem of remote trojan insertion via open ports, but they are not a totally impenetrable solution, either.

Precautions against Trojan horses

Trojan horses can be protected against through end-user awareness, namely to treat them like a virus. Viruses can cause a great deal of damage to a personal computer but even more damage to a business, particularly a small business that usually does not have the same virus protection capabilities as a large business. Since a Trojan Horse virus payload is hidden, it is harder to protect yourself or your company from it, but there are things that you can do.

Trojan Horses are most commonly spread through e-mail, much like other types of common viruses. The only difference, of course, is that a Trojan Horse payload is hidden. The best ways to protect yourself and your company from Trojan Horses are as follows:

  1. If you receive e-mail from someone that you do not know or you receive an unknown attachment, never open it right away. As an e-mail user you should confirm the source. Some hackers have the ability to steal address books, so if you see e-mail from someone you know, it is not necessarily safe.
  2. When setting up your e-mail client, make sure that you have the settings so that attachments do not open automatically. Some e-mail clients come ready with an anti-virus program that scans any attachments before they are opened. If your client does not come with this, it would be best to purchase one or download one for free.
  3. Make sure your computer has an anti-virus program on it and update it regularly. If you have an auto-update option included in your anti-virus program you should turn it on; that way if you forget to update your software you can still be protected from threats.
  4. Operating systems offer patches to protect their users from certain threats. Software developers like Microsoft offer patches that in a sense “close the hole” that the Trojan horse or other virus would use to get through to your system. If you keep your system updated with these patches, your computer is kept much safer.
  5. Avoid using peer-to-peer or P2P sharing networks like Kazaa, Limewire, Ares, or Gnutella because they are generally unprotected from viruses and Trojan Horse viruses spread through them especially easily. Some of these programs do offer some virus protection, but this is often not strong enough. If you insist on using P2P, it would be safe to not download files that claim to be “rare” songs, books, movies, pictures, etc.